When configuring an Azure Virtual Network one of the most common things you'll want to do is setup a Point-to-Site VPN so that you can actually get to your servers to manage and maintain them. Azure Point-to-Site VPNs use client certificates to secure connections which can be quite complicated to configure so Microsoft has gone the extra mile to make it easy for you to configure and get setup – sadly at the cost of losing the ability to connect through the command line or through PowerShell – Let's change that.

Current state of play == No Command line VPN connections

Normally when you want to launch a VPN from the CLI or PowerShell in Windows you can simply use the following command:

When you run the Azure VPN through the command line you get this (you'll see a hint as to why I'd be using Azure Point-to-site in this screenshot):

Azure VPNs don't appear to support this.

If you want to keep your servers behind a private network in Azure and use continuous deployment to get your code into production this makes it hard to deploywithout a human being around. Not really the best case scenario – especially when you remind yourself that automated builds aim to do away with human error altogether.

They then get you to download a package for setting up the Azure VPN RAS dialler on your local machine.

This is accessed from within the Azure "Networks" page for your virtual network.

You install this package and then whenever connecting you're greeted with a connection screen that you might of seen in a previous life. And by seen I don't mean that Windows Azure Virtual Networks have been around for ages. But more that the login screen may look familiar.

This is because this login screen is a Microsoft "Connection Manager" login screen and has been around for a while.

Example from TechNet (note extremely dated Bitmap awesomeness):

Connection Manager is used to pre-package VPN and dial up connections for easy-install distribution in a large organisation. This also means we can reconstruct the underlying VPN connection and use it as a normal VPN – claiming back our CLI super powers.

Digging through the details

So what we really want to know is:

What is this mystical VPN technology the people at Microsoft have bestowed upon us?

Here's how I started getting more information about the implementation:

Within this folder is all the magic connection manager odds and ends. Apologies for the [Obfuscated], simply the path contains information to my azure endpoint.

Within this folder you'll see a bunch of files:

Most importantly there is a PBK file – a Personal Phonebook. This is what stores the connect settings for the VPN as is a commonly distributed way of sending out connection settings in the Enterprise. If you run this on its own you'll actually be able to connect to the VPN directly (without your network routes being updated).

This phonebook is where we can steal our settings from to recreate a command line driven connection.

Setting it up

Open up the properties of your Azure Point-To-Site VPN phonebook above, and copy the connection address.

It will look like this:

azuregateway-[Guid].cloudapp.net

Open Network Sharing Centre, and create a new connection. Then select Connect to a workplace.

Select that you'll "Use my internet connection".

Then enter your Azure Point-To-Site VPN address and then give your new connection a name. Remember this name for later

Then click Create to save your VPN.

Now open the connection properties for your newly created VPN. This is where we'll use the settings in your Azure Diallers config to setup your connection.

I'll save you the hassle of showing you me copying the settings from one connection to another and instead i'll just focus on what you need to set them to.

Flick over to the Options tab and then click PPP Settings. Click the 2 missing options Enable software compression and Negotiate multi-link for single-link connections.

Set the type of VPN to Secure Socket Tunnelling Protocol (SSTP), Turn on EAP and select Microsoft: Smart Card of other certificate as the authentication type.

Then click on Properties.

Select "Use a certificate on this computer", un-tick "Connect to these servers", and then select the certificate that uses your Azure endpoint Uri as its certificate name and then save out.

Then flick over to the Network tab. Open TCP/IPV4 then Advanced then untick Use default gateway on remote network. This setting stops internet traffic going over the VPN while you're connected so you can still surf reddit while managing your Azure environment.

Close the VPN configuration panel.

You now have a working VPN connection to Azure.

When you connect using windows you'll be asked to select the name of the client certificate you'll be authenticating with. You select the certificate you created and uploaded into Azure before you setup your connection.

When you connect using the command line you don't need to specify your certificate:

rasdial "Azure VPN"

But there's one catch: Your local machine's route table doesn't know when to send any traffic to your Azure Virtual Network. The network link is there, but Windows doesn't know what to send over your internet link and what to send over the VPN link.

You see Microsoft did a few things when they packaged your connection manager, and one of these things was to also copy a file called "cmroute.dll" and call this after connection to route your traffic onto your Virtual Network. This file altered your routing table to route traffic to your Virtual Network subnets through the VPN connection.

We can do the same thing – so lets go about it.

What's this about Routing... Rooting (for the English speakers in the room)

Now execute the following from an elevated command prompt window. This tells Windows to add an event listener based task that looks for events to our "Azure VPN" connection and if it sees them, it runs our PowerShell script.

After connecting if I check my routing table by entering route PRINT into a console application we have our routes to Azure added correctly.

We're Done!

With that we're now able to fully use an Azure Point-to-Site VPN simply from the command line. This means we can use it as part of a build server deployment, or if you're working on it all the time you can simply set it up to connect every time you login to windows.